
A critical vulnerability has been discovered in Apple's official App Store and iTunes Store, affecting millions of Apple users.

Vulnerability-Lab founder and security researcher Benjamin Kunz Mejri discovered an application-side input validation web vulnerability that resides in the Apple App Store invoice module and is remotely exploitable by both the sender and the receiver.

The vulnerability, rated high in severity, was reported to the Apple Security team on June 9, 2015, and the company patched the issue within a month.

How does the vulnerability work?

By exploiting the flaw, a remote hacker can manipulate the name value (device cell name) by replacing it with malicious script code.

Now, if the attacker buys any product in the App Store or iTunes Store, the internal App Store service takes the device value (which is actually the malicious code) and generates the invoice, which is then sent to the seller account.

This results in application-side script code execution in the Apple invoice.

In addition, remote hackers can use the vulnerability to deliver persistent manipulated context to other Apple store user accounts.
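The flaw described above is a stored script injection: a user-controlled device name reaches the invoice HTML without encoding. The Python sketch below is an added example, not Apple's code or the researcher's; the invoice template, the allowlist and all function names are assumptions. It shows the unencoded rendering next to an output-encoded one, plus an input check that can also audit names already stored.

```python
import html
import re

# Assumed policy (hypothetical): device names are at most 64 characters of
# letters, digits, spaces and a few punctuation marks.
DEVICE_NAME_RE = re.compile(r"[\w '.\-()]{1,64}")

# Assumed invoice fragment; the real invoice markup is not on the page.
INVOICE_TEMPLATE = "<tr><td>Device</td><td>{device}</td></tr>"


def render_invoice_vulnerable(device_name: str) -> str:
    """'Before' form: the stored name is placed into the HTML as-is."""
    return INVOICE_TEMPLATE.format(device=device_name)


def render_invoice_hardened(device_name: str) -> str:
    """Encode on output so the name is always rendered as text."""
    return INVOICE_TEMPLATE.format(device=html.escape(device_name, quote=True))


def validate_device_name(device_name: str) -> bool:
    """Input-side check applied when the name is stored."""
    return DEVICE_NAME_RE.fullmatch(device_name) is not None


def audit_stored_names(names):
    """Return stored names that fail validation, for review and cleanup."""
    return [n for n in names if not validate_device_name(n)]


# Constructed sample data, not taken from the advisory.
SAMPLE_NAMES = ["Anna's iPhone", "Office iPad (2)", "<script>alert(1)</script>"]

if __name__ == "__main__":
    for name in SAMPLE_NAMES:
        print(validate_device_name(name), render_invoice_hardened(name))
    print("flagged:", audit_stored_names(SAMPLE_NAMES))
```

Output encoding is the control that protects every reader of the invoice, buyer and seller alike; the allowlist narrows what can be stored but should not be the only defence.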

"The invoice is present to both parties (buyer & seller) which demonstrates a significant risk to buyers, sellers or apple website managers/developers," says the researcher. "The issue impact also the risk that a buyer can be the seller by usage of the same name to compromise the store online service integrity."

Successful exploitation of the bug could allow an attacker to perform a number of sensitive tasks, including